Now there's an assertion which requires either isNormalUser or isSystemUser, so we set one of them for all the users we have already.
320 lines
8.1 KiB
320 lines
8.1 KiB
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <>
# SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, rebuilder, config, ... }:
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.clouvider-lon01;
aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
in {
imports = [
boot.initrd = {
availableKernelModules = [
network = {
enable = true;
ssh = {
enable = true;
hostKeys = ["/persist/etc/ssh/ssh_host_ed25519_key"];
authorizedKeys = map builtins.readFile config.users.users.lukegb.openssh.authorizedKeys.keyFiles;
postCommands = ''
echo "zfs load-key -a; killall zfs" >> /root/.profile
boot.kernelParams = [
boot.kernelModules = [ "kvm-intel" ];
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
fileSystems = let
zfs = device: {
device = device;
fsType = "zfs";
in {
"/" = zfs "tank/local/root";
"/nix" = zfs "tank/local/nix";
"/persist" = zfs "tank/safe/persist";
"/home" = zfs "tank/safe/home";
"/boot1" = {
device = "/dev/disk/by-partlabel/boota";
fsType = "vfat";
"/boot2" = {
device = "/dev/disk/by-partlabel/bootb";
fsType = "vfat";
nix.maxJobs = lib.mkDefault 8;
# Use GRUB, so we can have mirrored bootloaders.
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
version = 2;
zfsSupport = true;
efiSupport = true;
mirroredBoots = map (path: {
inherit path;
devices = ["nodev"];
efiSysMountPoint = path;
}) ["/boot1" "/boot2"];
# Networking!
networking = {
hostName = "clouvider-lon01";
domain = "";
hostId = "29aaa324";
nameservers = [
useDHCP = false;
defaultGateway = {
address = "";
interface = "br-ext";
defaultGateway6 = {
address = "2a0a:54c0:0:17::1";
interface = "br-ext";
| = ["enp1s0f0"];
| = {
ipv4.addresses = [{ address = ""; prefixLength = 31; }];
ipv6.addresses = [{ address = "2a0a:54c0:0:17::2"; prefixLength = 126; }];
interfaces.lo = {
ipv4.addresses = [{ address = ""; prefixLength = 8; }] ++ (
map (address: { inherit address; prefixLength = 32; }) aliasIPs);
ipv6.addresses = [{ address = "::1"; prefixLength = 128; }];
firewall = {
allowPing = true;
allowedTCPPorts = [
80 443 # HTTP/nginx
6697 # znc
34197 # factorio
allowedUDPPorts = [
34197 # factorio
extraCommands = ''
# Allow SSH on public interfaces.
iptables -A INPUT -p tcp --dport 22 --dst -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --dst ${} -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 --dst 2a0a:54c0:0:17::2 -j ACCEPT
my.ip.tailscale = "";
services.openssh.openFirewall = false; # allowed by networking.firewall.extraCommands
services.openssh.hostKeys = [
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
users.users = {
lukegb.extraGroups = [ "bird2" ];
minotarproxy = {
isSystemUser = true;
users.groups = {
znc-acme = {
members = [ "znc" "nginx" ];
services.lukegbgp = let local = {
asn = 205479;
}; in {
enable = true;
config = {
local = {
routerID = "";
export = {
v4 = [""];
peering = {
clouvider = {
local = local // {
v4 = "";
v6 = "2a0a:54c0:0:17::2";
remote = {
asn = 62240;
export_community = 3000;
routers = [{
v4 = "";
v6 = "2a0a:54c0:0:17::1";
services.znc = {
enable = true;
mutable = true;
dataDir = "/persist/etc/znc";
useLegacyConfig = false;
security.acme = {
acceptTerms = true;
email = "";
certs."" = {
webroot = "/var/lib/acme/.challenges";
group = "znc-acme";
extraDomainNames = [""];
services.nginx = {
enable = true;
virtualHosts = {
"" = {
default = true;
listen = [
{addr = ""; port = 80; ssl = false;}
{addr = "[2a0a:54c0:0:17::2]"; port = 80; ssl = false;}
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
locations."/" = {
return = "301 https://$host$request_uri";
| = {
description = "Minotar proxy";
wants = [""];
wantedBy = [""];
serviceConfig = {
ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind= --autocert_insecure_bind= --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
User = "minotarproxy";
Restart = "always";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
systemd.tmpfiles.rules = [
"d /run/minotarproxy 0700 minotarproxy - -"
systemd.mounts = let
bindMount' = dir: {
unitConfig.RequiresMountsFor = dir;
options = "bind";
what = "/persist${dir}";
where = dir;
bindMountSvc = dir: svc: (bindMount' dir) // {
bindsTo = [svc];
partOf = [svc];
bindMountSvcDynamic = dir: svc: (bindMount' "/var/lib/private/${dir}") // {
requiredBy = [svc];
before = [svc];
wantedBy = [""];
bindMount = dir: (bindMount' dir) // {
wantedBy = [""];
in [
(bindMountSvcDynamic "factorio" "factorio.service")
environment.etc."secrets/gitlab-runner-registration" = {
text = ''
mode = "0600";
services.gitlab-runner = {
enable = true;
concurrent = 1;
services = {
deployer = {
registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
executor = "shell";
tagList = [ "cacher" ];
gracefulTermination = true;
gracefulTimeout = "4min";
package = depot.nix.pkgs.heptapod-runner;
users.users.gitlab-runner = {
isNormalUser = true;
group = "nogroup";
createHome = true;
home = "/srv/gitlab-runner";
nix.gc.automatic = false;
services.factorio = {
inherit (secrets.factorio) username token;
enable = true;
package = pkgs.factorio-headless-experimental;
saveName = "lukegb20201124";
game-name = "Briefcase Full of Bees";
extraSettings = {
admins = ["lukegb"];
auto_pause = true;
only_admins_can_pause_the_game = false;
game_password = secrets.factorioServerPassword;
non_blocking_saving = true;
autosave_only_on_server = true;
autosave_interval = 5;
autosave_slots = 60;
my.quotesdb.listen = [
system.stateVersion = "20.09";